[转载]Keyboard Interrupt Hook using I/O APIC

bini

Keyboard Interrupt Hook using I/O APIC(ZT)
9 X9 w- d8 }8 k1 Q
Keyboard Interrupt Hook using I/O APIC
: [* d' w. i- O9 ]" I- ~7 P; R
By: chpie
Keyboard Interrupt Hooking by manipulating the I/O APIC
: p$ W6 K; A: R9 ^* B$ @( dtested on the winXP, Pentium D Hyper-threading Enabled.
6 ^( Y% m. p1 C
8 A; O( [7 L$ Q
; O1 R& n8 Q1 o7 vSummary :: Using the 8259a compatible PIC to be deliver the interrupt
signal by Delivery mode of the I/O APIC to be the ExtINT,
7 {0 @5 ^* E+ J' g1 {the interrupt related by the IRQ 1 able to be not refer
the I/O APIC's Redirection Table.
) U+ a% ~$ U; ]
- It is higher priority of the hooking than the direct
+ {; l3 J* L3 f3 T2 _! J) nmodification of the I/O APIC's vector.
. e3 P/ P0 x0 u+ h1 i5 |  @- The vector can be hidden on the thread getting the keyboard
vector from the I/O APIC.
  U# e  m  y- \/ b/ I$ U
Flow ::
+ Z6 @5 p# D) K8 x" k) E
6 S5 G6 S# `8 @0 K! z1. IRQ 1 Assert !!!
0 a% s5 g7 M. B6 I/ A1 `/ z0 D2. The I/O APIC receives the signal and refers the I/O Redirection table.
3. Sending the signal from the destination Local APIC.
4. Local APIC pass the signal to the processor for its delivery mode ExtINT
5. A processor receives the signal.
# K$ g+ t  h. n. S( o1 C/ F6. The processor Assert the INTA signal.
0 r2 \; R' c! s7. The I/O APIC acknowledged.
# ]# _# b5 ^9 F) a/ b/ d8. The processor Assert the second INTA signal.
% `9 \& t$ u: m2 w, W9. The I/O APIC delivers the signal to the 8259a compatible PIC
for ExtINT to its Delivery mode.
% u; h9 ?2 ]: f4 j6 o10. 8259a compatible PIC sends 2 bytes after second INTA pulse.
11. The processor execute 2 bytes sended.
12. our interrupt handler executed.

& e' H8 L" f6 b! }' p7 J* D
; l# V1 h3 t, lsourcecode and binary are available on the
% l7 I* I% ?/ n1 ?http://www.rootkit.com/vault/chpie/apic_keyboard.zip